Top GDPR Myths and Monsters

There seems to be a lot of confusion around GDPR that needs to be clarified. Some are innocuous others are downright dangerous and could make companies non-compliant and open to heavy penalties. So far we have identified the following misconceptions, the list is no doubt likely to grow.

1. Automatic fines up to 4% or 20 million Euros for non-compliance to GDPR

Well, yes and no. This is the most severe penalty for most severe breaches due to non-compliance. To get the maximum fine you would have bodged it big time and you would deserve it. I doubt if it was minor infringement or oversight it would attract such harsh penalty. For smaller non-conformities, there is more likely to be warnings leading up to major fines for persistent violations. Watch out for early examples, which are likely to be large fines to set the tone.

2. GDPR does not apply to UK as we are Brexiting

Not correct, as the ICO has stated that the UK will comply. Even if we did not, we would expect to have similar privacy protection in local laws, less we wanted to be treated as a country not having adequacy.

3. Everyone Needs a Data Protection Officer (DPO)

No they don’t. A DPO is mandatory only under three specific circumstances. I explained and elaborated on the three situations where a DPO is required in my previous blog on the role of a DPO here and therefore will not repeat it here again. Please do check the other blog post if you are interested in the details.

If your organisation falls within those three categories of Controller or Processor then you must have a designated DPO.

4. Organisations with less than 250 employees do not need a DPO

Not true. This was from a draft article. Whether you need a DPO or not is entirely dependent on the type of pricessing you do and not the size of the organisation.

See my article at for more information on the circumstances and the attributes of a DPO.

5. The Compliance Date of 25th of May 2018 will be delayed.

Highly unlikely. Organisations had 2 years to prepare. GDPR was published in 2016 and actually came into force on 25th of May 2016 and is applicable from 25th May 2018. This means organisations should have started their compliance journey in 2016.

6. That the DPO is a person

The GDPR refers to the DPO and it can easily be misconstrued as a single person. It is not a person. It is a role or a function. If you think about it, it may be a fine case for a small organisation to have a single person or even share the role between organisations under contract. However for a for a large organisation with multiple jurisdictions, locations etc. it would simply not be possible for a single person to assume and competently discharge the duties of a DPO. Add to that the depth and breadth of knowledge required to discharge that duty, such as having some level of legal knowledge, IT, IT/Cyber/Information security, architecture, systems, gap analysis, DPIA, Risk Assessment and Management, secure development, incident management, stakeholder management for starters.

So rather than thinking that the DPO is a person, think of it as a role, a function, a centre of knowledge, such as Internal Audit or Compliance. Both have to be independent and conflict free.

See our virtual DPO services at

7. GDPR ONLY applies to digital information

Not true. GDPR also applies to personal data in hardcopy or printed documents (See below)

8. GDPR Applies to all hard-copy personal data

This not the case. The GDPR does not apply to all hard-copy (printed) information. It only applies to personal information in a “structured” filing system. Therefore, if you have ad-hoc papers containing personal information in a filing cabinet then this is not covered by GDPR. By structured, I believe it means having some sort of index that will allow easy access or search of the personal data based on some sort of index, e.g. documents sorted by names in an alphabetical order.

9. GDPR Does NOT apply to organisations with less than 5000 employees

Not true. Compliance requirements are dependent of type of processing rather than size of the company. For example as marketing company with 10 employees could be processing millions, if not hundreds of millions of records automatically. Automated processing allows for that. You do not need a super computer or hundreds of staff to carry out this level of processing.

10. It is mandatory to register with the Supervisory Authority (e.g. the ICO)

Not so. Not required by the GDPR anyway. However some, including the ICO may require regisration in the future. The ICO is mulling registration.

11. You need Consent to process data

Not so, there are 5 other legal basis you can rely to process data. Consent is only one of them.

12. You need Explicit Consent

No, not for ordinary personal data processing. Explicit consent is only required if you process “special categories” of personal data.

13. You need to hold an inventory of personal data

Not exactly. GDPR requires a record of processing activities, which should be much wider than a n inventory as we understand it. It should include all your processing activities, reasons, legal basis, category, classifications, interfaces and so on.

14. GDPR will stop direct marketing

Not so, whilst GDPR applies to personal data digital marketing is governed by PECR. PECR dictates what you can and can’t do with digital communication. So you need to be aware of both.

15. Business data does not contain personal data

Even business data can contain personal data. This is a grey area but you should nevertheless be cognisant of what constitutes personal data and the context of its use. The difintion of personal data is wide. This is not the same a personally identifiable data. More to come.

16. You cannot use your existing data

You can still use you existing data as long as it meets the GDPR requirements. So if you have a marketing database and you can be prove that it is compliant with GDPR then you do not have to get rid of it. Ask youself whether you can prove that you have Consent to market? Although, the way you market will change. For other data types, you need to do the same, look at your legal basis to start with.

17. You have to report every data breach to the ICO

Not all breaches have to be reported. Especially if they do not involve personal data. Even if a breach involves personal data, then you only need to report it if there is high risk to the data subjects privacy and rights.

How to Manage GDPR Incidents and Breach Notifications

18. You have report everything within 72 hours

If possible, but with undue delay and within 72 hours if possible. The key is to be transpaarent to the Supervisory Authority. It is more important to report it first once you are aware of the breach and then provide the information as it comes into your possession.

How to Manage GDPR Incidents and Breach Notifications

19. Personal Data is the same as PII

Not so, Personal data is much wider than PII. Whereas PII data is data that identifies a person. Personal data is data that can directly or indirectly, in itself or with combination of other data, including descriptors/attributes can identify an individual’s.

20. There are official GDPR DPO Certifications or Qualifications

Nope, there are no official GDPR DPO qualifications. Many organisations are touting their certifications/training as “DPO Ready”. This not so, there has not been yet and official curriculum for GDPR DPO certification that is approved by the EDPB.

21. GDPR does not apply to backup or archived data

Archived or backed up data, even if encrypted is still data considered to be being processed and therefore GDPR shall apply

22. GDPR does not apply to encrypted data

GDPR applies but the data, if involved in a breach may not have to be reported as it is not accessible. The encryption obviously will have to be sufficiently strong.

23. You require record of your processing activity

Yes and no. Not if you have less than 250 employees.

I know it is stupid to exempt anyone from this requirement.

24. Consent is always required to process personal data

No, not always. Consent is only one of the lawful basis for processing, there 5 others, which are just as valid. IF consent is no appropriate one of the others may be.

See my article The Why, What, How, Where, When and Whom of GDPR


This and other articles can be found at

Author: Moyn Uddin GDPR-P, CISSP, CISA, CISM, CRISC, ISO27001 LA, TOGAF  is a certified GDPR and Cybersecurity practitioner. He is also the co-author of RESILIA – Cyber Resilience Best Practices from AXLEOS, published in 2014 and the author of the accompanying Pocketbook. He is also the lead author of the Cyber Resilience Best Practices training course for ITpreneuers


If you need any assistance with any aspects of GDPR implementation or cyber security please contact us.